
How to harden your smartphone against stalkers—Android edition

With great power comes great responsibility, so lock up that smartphone.

Check for root

All Android phones have the ability to be "rooted." Really, this is the act of adding an application called "su," which stands for "super user," to the operating system. When a phone is rooted, or has this application installed, the user has much more control over the phone. Most normal people root their Android handsets as a first step in installing a custom ROM, or a modified operating system. But rooting the phone also allows apps to bypass certain security settings and do things to the phone that they wouldn't normally be able to do.

If you aren't familiar with rooting and someone has rooted your phone for you, you might not have noticed. This isn't necessarily a lengthy process involving many hours tinkering with the phone attached to the computer. Rather, there are one-click apps that can root a phone in a few seconds.

Once rooted, there are some incredibly, heart-palpitatingly creepy apps that can be installed on your phone and used for stalking. Some of these apps are developed in innocence and good faith for users who want more flexible access to their phone. Still, there's little that prevents them from being used in a negative way.

For example, take WebKey, an app that requires a rooted phone. Once it's installed, users can remotely log into WebKey's website and control the phone from their browser. A stalker who has installed WebKey on a victim's phone can, during periods when they might know the phone is unattended, check call or message logs, view the browser history, or turn on GPS to see where the phone (and hence possibly its owner) is. They could open the camera application to see what's going on where the phone is right now. They could turn on a voice memo app to record a conversation in the room, save it to the SD card, and download it right to their computer. Or they could just passively watch everything that you do on your phone's screen. The app can be set to maintain a constant connection, and it's possible to turn off the icon in the status bar that shows the app is running. It can pretty easily go unnoticed. Turning off the phone will stop its ability to track, but a setting in the app will start the app as soon as the phone is turned on.

WebKey can track a phone's location based on its GPS or the WiFi network it's connected to.

WebKey access displayed in the browser. The touch screen displayed is functional, and text can be entered into the phone in the field to the right.

There are many apps similar to WebKey, such as AirDroid and Droid Control, that are all built for similar levels of remote access and were developed with innocent intent (as far as we can tell). Often these apps require that the phone and remote access PC be connected to the same WiFi network, though a committed stalker might think nothing of sitting outside a target house to access its WiFi connection (which reminds us: secure your WiFi network!).

Other apps are less innocent. One developed in Japan called Karelog (translates to "boyfriend log") is designed to be installed on a significant other's phone and tracks its GPS location in a log that is accessible by Karelog's website with a login and password. This one doesn't require rooting, but does have monthly fees and is all in Japanese.

A screenshot of Karelog, the boyfriend-tracking app.

We note again that there are not, to our knowledge, any recorded cases of these apps, or any similar apps, being used for stalking. This also isn't a knock against rooting or anyone who might develop remote access apps. But we all need to be careful about how they might be used.

An Android phone displaying the Superuser Permission app (far left, second from top) and WebKey (third row, second from left).

To check if your phone is rooted, go into Applications and look for an app titled "Superuser Permission" with an icon that looks like an Android mascot skull and crossbones. In some cases, the app may not be there. Another app called Root Explorer can make the Superuser Permission app not appear. If you see none of these, search for a terminal client in the Google Play store, download one, and open it. If the prompt line starts with the pound sign (#), the phone is rooted. If you see a $ instead, type in su and press enter. A dialog may pop up asking permission for the SuperUser app to run; tell it yes. If the $ changes to a #, your phone is rooted. If any of these signs are present and you didn't do it, now is the time to be suspicious.
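The terminal check described above can also be scripted. The following is an added example, not part of the original article: it reports which prompt character the shell would show and looks for the su binary on disk. The list of su locations and the ROOT_PREFIX variable are assumptions made for this example, and a missing su file does not prove the phone is unrooted.

```shell
#!/bin/sh
# Added example: scripted version of the article's manual root check.
# SU_PATHS is an assumed list of places the su binary is commonly installed.
SU_PATHS="/system/bin/su /system/xbin/su /sbin/su /su/bin/su"

# find_su PREFIX: print every su path that exists under PREFIX, one per line.
# PREFIX is empty on a real phone; a directory lets you test against a copy.
find_su() {
    for p in $SU_PATHS; do
        if [ -e "${1}${p}" ]; then
            echo "$p"
        fi
    done
}

# prompt_char UID: the character the article tells you to look for.
# uid 0 (root) gets "#", every other user gets "$".
prompt_char() {
    if [ "$1" -eq 0 ]; then echo '#'; else echo '$'; fi
}

# root_verdict PREFIX UID: print one of
#   rooted      shell already runs as root (the "#" case)
#   su-present  unprivileged shell, but an su binary is installed
#   no-signs    neither indicator found
root_verdict() {
    su_hits=$(find_su "$1")
    if [ "$2" -eq 0 ]; then
        echo "rooted"
    elif [ -n "$su_hits" ]; then
        echo "su-present"
    else
        echo "no-signs"
    fi
}

# Run the check against the device this script is executed on.
my_uid=$(id -u)
echo "prompt:  $(prompt_char "$my_uid")"
echo "verdict: $(root_verdict "${ROOT_PREFIX:-}" "$my_uid")"
find_su "${ROOT_PREFIX:-}" | sed 's/^/found:   /'
```

A verdict of su-present matches the article's second case: typing su at the $ prompt would be expected to bring up the SuperUser permission dialog.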

Casey Johnston
Casey Johnston is the former Culture Editor at Ars Technica, and now does the occasional freelance story. She graduated from Columbia University with a degree in Applied Physics. Twitter: @caseyjohnston